Today, there frequently are defects and/or security vulnerabilities or the like in pieces of software that make up an application. Often it takes time to move the fixes for the defects/vulnerabilities through the conventional process before the software application is deemed to be fixed. So, typically now if there is a bug, a developer needs to get an updated version of a piece of the software if using open source software, or a developer must pull up the source code and update the version himself, and then run it through the entire process of creating a version of the application with the update.
In practice, a developer may find out that there is a problem with an open source component that is being used in a software application. The developer will research the fix, go back into the development environment, update the component, re-run the integration test to ensure that all is functional, and then progress through the release process to release a new version. There is no way to do this without manually scouring code to find the vulnerability or bug.
In addition, there are situations where the ability to support a legacy custom application is much more problematic due to tack of understanding of the old application.
Consider Microsoft's Patch Tuesday as an example of a conventional way in which patches are released. Patch Tuesday is normally only once a month. Subsequent patches (and hence updates to pieces of software) will not be released until the next Patch Tuesday. During the time after Microsoft releases the patches, the hackers are reverse engineering the fixes and figuring out where the vulnerabilities are and creating corresponding exploits and then launching those.
Furthermore, Microsoft ships out many binary updates, e.g., to Windows, which can be installed, usually requiring a reboot of the Windows workstation.